It is now common practice in packet-switched communication networks to provide ‘switching fabrics’ which interconnect a multiplicity of network units such as switches or routers to constitute a system that can be managed as if it were a single unit. In early forms of such switching fabrics, units were ‘stacked’, each with a connection to the next, so as to form a daisy chain of units. The connection between the units was termed a ‘cascade connection’. If a packet were received at an external port of one of the units, that unit would perform an address look-up so as to determine whether the packet was destined for a port on the same unit or for a port on another unit. In the latter case, the packet would be directed to the cascade via a ‘cascade port’, by which is meant a port connected only internally of the system, that is to say not a port by which a packet can egress the system of interconnected units. On arrival at the next unit, a further look-up would be performed, and so on until the correct egress port was found. Disadvantages of early forms of cascade were the need to maintain ‘synchronised’ look-up databases in the units and/or the need to perform an address look-up in each unit in turn until an appropriate egress port was found.
Prior application Ser. No. 10/337,299 for O'Neill et al, published as US-2004-0095928-A1 having inventors common to the present application and commonly assigned herewith describes an architecture which is not confined to being a daisy chain but may be a general mesh of network units. Here again, when a unit receives a packet, it performs a look-up to determine whether the packet can be forwarded from a port on the same unit or will have to be forwarded via a cascade port through at least one further unit until it reaches an egress or destination port.
In both O'Neill et al, supra, and Donoghue et al, Ser. No. 10/067,738, filed Feb. 8, 2002, having inventors common to the present application and commonly assigned herewith, a packet, while it is within a cascade system, carries a temporary ‘header’ which comprises a destination port field, a source port field and a validity field which indicates whether the destination port field is valid. The destination port field identifies an egress port for a unicast packet if the validity field is set appropriately. If the validity field is not set, it may signify either that a look-up has not yet been performed or that the packet is a multicast or broadcast packet. However, the validity field does not prescribe any precedence of forwarding instructions. The source port field indicates, as the name implies, the ingress port of the packet.
Security operations are becoming desirable features in network systems. One form of security operation is normally termed ‘IDS’ (intrusion detection system) or ‘IPS’ (intrusion prevention system), and a typical system employing IDS or IPS includes a DFA (deterministic finite-state automaton) which is used to detect any of a (usually) large number of digital signatures which have been determined to be undesirable. Typically a DFA is capable of detecting digital signatures comprising strings of hundreds of characters. A DFA typically comprises a character detector and a memory which stores the digital signatures as respective sequences of states. One example is given in prior copending U.S. patent application Ser. No. 11/064,257 for Furlong et al, entitled ‘Pattern matching using deterministic finite automata and organization of such automata’, filed Feb. 22, 2005 and commonly assigned herewith.
Other security operations which are now desirable are those of encryption and decryption. One example of the use of encryption is in the operation of virtual private networks which employ, for example, a tunnelling protocol encapsulated within UDP datagrams that are themselves encrypted within an IP (internet protocol) packet. An example is described in prior copending U.S. patent application for Loughran et al, entitled ‘Deciphering encapsulated and enciphered UDP datagrams’ filed Feb. 28, 2005 and commonly assigned herewith.
It should be understood that not all packets that are received by a network unit such as a switch or router require encryption or decryption. Moreover, intrusion detection may be selected only for certain classes of packets, such as UDP packets, or for packets having a particular combination of network addresses and/or ‘application port’ numbers. Whether a packet is encrypted, and therefore requires to be processed by a decryption block, can be determined by reference to a selection of fields in the header of the packet. For this purpose a ‘rules engine’ may be used, for example as described in prior U.S. patent application for O'Neill et al, Ser. No. 10/338,170, published as US-2004-0095936-A1 and commonly assigned herewith.
In order to integrate a security operation such as intrusion prevention into a switching fabric, changes have to be made to the ordinary forwarding model that is currently in use. For example, the forwarding device that possesses the ingress port may examine the packet's headers to determine whether any given packet should be diverted for analysis against a set of known signatures, for example using a DFA or otherwise. If examination of the header shows that no analysis is required, the packet should be forwarded normally. If analysis is required, the packet should first be diverted to the IPS system instead of being forwarded to the egress port. If the intrusion prevention device is incorporated within a forwarder, e.g. a switch or router having a look-up database and a forwarding engine, the IPS ASIC has to perform a normal link layer (layer 2) or network layer (layer 3) forwarding operation for the packets diverted to it, since those packets have not been forwarded by the ingress forwarder. This has to take into account the ingress port on which the packet was received. This means that, with reference to a particular ingress port, forwarding can take place in either of two locations, the normal ingress forwarder or the IPS device. The result is a system which is inherently more complicated, and which requires a forwarding database and the corresponding forwarding functionality in the IPS device as well.
Similar considerations apply if the security operation is encryption or decryption. More generally, if in a switching fabric or cascade system of the general kind described in the foregoing one provides an ancillary processing function which may or may not be required for any given packet, there is added complexity, additional latency and inconvenience associated with providing the forwarding function alongside the ancillary processing unit.
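The divert-or-forward model described in the two preceding paragraphs, as an added example that is not part of this application or of any of the cited prior applications: the temporary cascade header with its validity field, a header-only selection rule standing in for the rules engine, a signature set compiled into a byte-level DFA (an Aho-Corasick automaton with a full transition table, used here in place of the Furlong et al DFA), and the consequence that a diverted packet arrives at the IPS device with the destination port field still invalid, so the IPS device must hold its own forwarding database and perform the look-up the ingress forwarder skipped. The selection policy (UDP, or TCP to application port 80), the forwarding database, the signatures and the sample packets are all constructed for the example.

```python
"""Added example: divert-or-forward in a cascade with an IPS stage (not the application's own code)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CascadeHeader:
    """Temporary header carried while the packet is inside the cascade system."""
    src_port: int                 # ingress port
    dst_port: Optional[int] = None
    valid: bool = False           # True only once dst_port holds a unicast egress port


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst_mac: str
    app_port: int     # destination application port number
    payload: bytes
    hdr: CascadeHeader


class SignatureDFA:
    """Signature set compiled into a DFA over bytes (Aho-Corasick, full transition table)."""

    def __init__(self, signatures: List[bytes]) -> None:
        self.goto: List[Dict[int, int]] = [{}]     # state -> (byte -> next state)
        self.out: List[Set[bytes]] = [set()]      # state -> signatures ending here
        for sig in signatures:                     # 1. trie of the signatures
            s = 0
            for b in sig:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(sig)
        fail = [0] * len(self.goto)                # 2. failure links, then fill all 256 bytes
        q: deque = deque()
        for b in range(256):
            if b in self.goto[0]:
                q.append(self.goto[0][b])
            else:
                self.goto[0][b] = 0
        while q:
            s = q.popleft()
            for b in range(256):
                nxt = self.goto[s].get(b)
                if nxt is None:
                    self.goto[s][b] = self.goto[fail[s]][b]
                else:
                    fail[nxt] = self.goto[fail[s]][b]
                    self.out[nxt] |= self.out[fail[nxt]]
                    q.append(nxt)

    def scan(self, data: bytes) -> Set[bytes]:
        """One state transition per input byte; returns every signature that occurred."""
        s, hits = 0, set()
        for b in data:
            s = self.goto[s][b]
            hits |= self.out[s]
        return hits


def needs_analysis(pkt: Packet) -> bool:
    """Header-only selection standing in for a rules engine (constructed policy)."""
    return pkt.proto == "udp" or (pkt.proto == "tcp" and pkt.app_port == 80)


def lookup(fdb: Dict[str, int], pkt: Packet) -> int:
    """Layer-2 look-up: fill the destination port field and mark it valid."""
    pkt.hdr.dst_port = fdb[pkt.dst_mac]
    pkt.hdr.valid = True
    return pkt.hdr.dst_port


def ingress_forwarder(pkt: Packet, fdb, dfa, log: List) -> Optional[int]:
    if needs_analysis(pkt):
        return ips_device(pkt, fdb, dfa, log)   # diverted before any look-up: header still invalid
    port = lookup(fdb, pkt)
    log.append(("ingress-forwarder", port))
    return port


def ips_device(pkt: Packet, fdb, dfa, log: List) -> Optional[int]:
    if dfa.scan(pkt.payload):
        log.append(("ips", "drop"))
        return None
    # No valid egress port arrived with the packet, so the IPS needs its own copy of the
    # forwarding database and must perform the look-up the ingress forwarder skipped.
    assert not pkt.hdr.valid
    port = lookup(fdb, pkt)
    log.append(("ips", port))
    return port


def run_demo() -> Dict[str, Tuple[Optional[int], List]]:
    fdb = {"02:00:00:00:00:01": 3, "02:00:00:00:00:02": 7}   # constructed forwarding database
    dfa = SignatureDFA([b"/etc/passwd", b"cmd.exe"])         # constructed signature set
    samples = {                                              # constructed sample packets
        "tcp-clean": Packet("tcp", "02:00:00:00:00:01", 443, b"GET / HTTP/1.1", CascadeHeader(1)),
        "udp-clean": Packet("udp", "02:00:00:00:00:02", 53, b"\x12\x34\x01\x00example", CascadeHeader(1)),
        "udp-hit": Packet("udp", "02:00:00:00:00:02", 69, b"RRQ ../../etc/passwd\x00octet", CascadeHeader(2)),
    }
    results = {}
    for name, pkt in samples.items():
        log: List = []
        results[name] = (ingress_forwarder(pkt, fdb, dfa, log), log)
    return results
```

Running `run_demo()` shows the two forwarding locations the text objects to: the clean TCP packet is forwarded by the ingress forwarder alone, while both UDP packets reach the IPS device with an invalid destination port field, and the one that passes the signature scan is forwarded only because the IPS device performs the look-up itself.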